Hello guys!
I tried to set up a syslogd override on a FortiGate-1200D (VDOM, 6.2 patch 6) and it didn't work: as soon as it was implemented, the device stopped sending logs to our QRadar (see the config below).
I need help to try to fix it, please:
config log setting
    set syslog-override enable
end
config log syslogd override-setting
    set status enable
    set server "209.134.187.181"
    set facility local1
end
config log syslogd4 override-setting
    set status enable
    set server "10.4.213.7"
    set facility local1
    set source-ip "10.11.1.164"
end
Are you sure your syslog server understands the "default" text format, not the CSV format?
Yes, it does; we don't use CSV on this one!
If you're confident about the config under "config log syslogd override-filter", I would just sniff port 514 traffic on the VDOM interfaces (I assume those are different, because one server IP is public and the other private) to see whether it's actually sending logs out.
Thank you for your support and patience on this! The filter goes to all servers, I am assuming, as well as port 514?
See below for a possible configuration:
config log syslogd override-setting
    set status enable
    set server "209.134.187.181"
    set port 514                  # <-- set the port explicitly
    set facility local1
end
config log syslogd override-filter
    set severity information
    set forward-traffic enable
    set local-traffic enable
    set multicast-traffic enable
    set sniffer-traffic enable
    set anomaly enable
    set voip enable
    set dns enable
    set ssh enable
    set ssl enable
end
config log syslogd4 override-setting
    set status enable
    set server "10.4.213.7"
    set port 514                  # <-- set the port explicitly
    set facility local1
    set source-ip "10.11.1.164"
end
config log syslogd4 override-filter
    set severity information
    set forward-traffic enable
    set local-traffic enable
    set multicast-traffic enable
    set sniffer-traffic enable
    set anomaly enable
    set voip enable
    set dns enable
    set ssh enable
    set ssl enable
end
The filters are configured separately under
    config log syslogd override-filter
    config log syslogd4 override-filter
Again, if you run
    diag sniffer packet any 'port 514' 4
you would see both log packets, including the names of the interfaces they're going out of.
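To confirm on the collector side that what arrives matches the override-setting (facility local1) and the override-filter (severity information), here is an added example that is not from this thread or from Fortinet: it decodes the syslog PRI header and the key=value body of a FortiOS "default" format message. The sample line, the device name and the function names are constructed for illustration.

```python
import re
import socket

# RFC 3164 PRI = facility * 8 + severity; FortiOS "default" format follows
# the PRI with space-separated key=value pairs, quoted where needed.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emergency", "alert", "critical", "error", "warning", "notice",
              "information", "debug"]

_PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

def parse_fortigate_syslog(line: str) -> dict:
    """Return facility, severity and the key=value fields of one message.
    Raises ValueError when the <PRI> header is missing (e.g. CSV/CEF format) or invalid."""
    m = _PRI_RE.match(line)
    if not m:
        raise ValueError("missing <PRI> header; is the sender using csv or cef format?")
    pri = int(m.group(1))
    if pri > 191:
        raise ValueError(f"PRI {pri} out of range")
    fields = {}
    for key, val in _KV_RE.findall(m.group(2)):
        fields[key] = val[1:-1] if val.startswith('"') else val
    return {"facility": FACILITIES[pri // 8], "severity": SEVERITIES[pri % 8], "fields": fields}

def check_expected(line: str, facility: str = "local1", max_severity: str = "information") -> bool:
    """True when the message carries the configured facility and is at or above
    the override-filter severity threshold (lower index = more severe)."""
    p = parse_fortigate_syslog(line)
    return p["facility"] == facility and SEVERITIES.index(p["severity"]) <= SEVERITIES.index(max_severity)

# Constructed sample: facility local1 (17) and severity notice (5) -> PRI 141.
SAMPLE = ('<141>date=2024-05-01 time=10:00:00 devname="FGT-LAB" devid="FG-SERIAL-PLACEHOLDER" '
          'logid="0000000013" type="traffic" subtype="forward" level="notice" vd="vdom1" '
          'srcip=10.11.1.50 dstip=10.4.213.7 dstport=514 action="accept"')

def listen(bind_ip: str = "0.0.0.0", port: int = 514, count: int = 5) -> None:
    """Receive a few UDP datagrams on the collector and print sender, facility.severity
    and the VDOM, a quick way to see whether the per-VDOM override is taking effect."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind((bind_ip, port))
        for _ in range(count):
            data, (src, _) = s.recvfrom(65535)
            p = parse_fortigate_syslog(data.decode("utf-8", "replace"))
            print(f"{src} {p['facility']}.{p['severity']} vd={p['fields'].get('vd')}")

if __name__ == "__main__":
    print(parse_fortigate_syslog(SAMPLE))
```

Binding port 514 needs root or CAP_NET_BIND_SERVICE; run it on the collector while the FortiGate is expected to be sending.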
Copyright 2024 Fortinet, Inc. All Rights Reserved.